TechRepublic is reporting on a Securities and Exchange Commission update to its 2011 cyber security statement, stating that US publicly traded companies will be required to disclose in a timely manner when they have been breached or when they face material cyber security risks:
First, and most importantly, is that the SEC is essentially extending its interpretation of older disclosure rules to cover cybersecurity. If you are familiar at all with SEC disclosure guidelines under the Securities Act of 1933 and the Securities Exchange Act of 1934, these new guidelines won’t appear very different—the SEC even wants disclosures filed on the same forms.
As the original 2011 statement said, “although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, companies nonetheless may be obligated to disclose such risks and incidents.”
What this new interpretive statement does is reinforce and expand the 2011 original, along with adding an important section designed to crack down on insiders trading stock based on undisclosed knowledge of a cyber attack—something important to consider in the wake of stock dumping accusations surrounding the Equifax breach (of which executives were later cleared in an internal investigation).
What the SEC has to say on that particular front is clear: “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.”
In other words, disclose incidents immediately to prevent even the appearance of impropriety.
It should be obvious to anyone that disclosure should be mandatory. However, most companies will act in the best interest of the officers running the company, and therefore will often attempt to hide breaches from the public. This is harmful in so many ways that it is almost unbelievable that in 2018 there are still no legally binding requirements.